How to Migrate EFS Files and Certificates
Published: February 29, 2012
Updated: May 31, 2012
Applies To: Windows 7, Windows 8
This topic describes how to migrate Encrypting File System (EFS) certificates. For more information about the /efs options, see ScanState Syntax.
Encrypting File System (EFS) certificates will be migrated automatically. However, by default, the User State Migration Tool (USMT) 5.0 fails if an encrypted file is found (unless you specify an /efs option). Therefore, you must specify /efs:abort | skip | decriptcopy | copyraw | hardlink with the ScanState command to migrate the encrypted files. Then, when you run the LoadState command on the destination computer, the encrypted file and the EFS certificate will be automatically migrated.
|The /efs options are not used with the LoadState command.|
Before using the ScanState tool for a migration that includes encrypted files and EFS certificates, you must ensure that all files in an encrypted folder are encrypted as well or remove the encryption attribute from folders that contain unencrypted files. If the encryption attribute has been removed from a file but not from the parent folder, the file will be encrypted during the migration using the credentials of the account used to run the LoadState tool.
You can run the Cipher tool at a Windows command prompt to review and change encryption settings on files and folders. For example, to remove encryption from a folder, at a command prompt type:
Cipher /D /S:<PATH>
Where <Path> is the full path of the topmost parent directory where the encryption attribute is set.